What does it cover? Who does it apply to? What if I am not compliant?
Uncertainty and confusion surround the Payment Card Industry Data Security Standard (PCI DSS), and the questions above are just a few of those being asked by organisations whose contact centres take card payments for goods and services. In 2013, an astonishing 10.7 billion card transactions were made in the UK alone (UK Cards Association), many of them within contact centres. With today's payment method of choice being a credit or debit card, contact centres need to ensure they understand, and comply with, PCI DSS.
Complying is easier than you might think, especially as well-run organisations and their contact centres will already have security procedures in place that protect customer data. Over two blog posts we will share six key facts to guide your understanding of what the standard covers, who it applies to and what the implications are if an organisation is not compliant:
1. What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements, maintained by the PCI Security Standards Council, for protecting and securing cardholder data. The standard applies to all organisations that store, process or transmit cardholder data. This means that the entire payment process, from the point of sale at a merchant, through the service provider's payment solution, to the acquirer or bank, must be validated against the standard in order to be PCI DSS compliant.
For example, the entire process from a merchant's contact centre, through a self-service telephony payment solution, to the acquirer (such as the acquiring bank) must be validated in order to be PCI DSS compliant.
So, in short, PCI DSS is a global, mandatory security requirement for organisations and merchants that protects customer card data from being stolen or compromised.
2. Who does PCI DSS really apply to?
PCI DSS applies to all organisations that store, process or transmit cardholder data. This means: all merchants of goods and services who accept or process payment cards such as debit or credit cards; acquirers, the financial institutions (such as the acquiring bank) that maintain the relationships with merchants accepting payment cards; and service providers who deploy payment solutions as part of the payment process, such as Netcall.
3. What are the requirements for becoming PCI DSS compliant?
The PCI DSS sets out a minimum of 12 requirements for protecting cardholder data, all of which must be met in order to be fully compliant. Here is a quick overview to build your understanding:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programmes
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
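As an added illustration of Requirement 3 (protect stored cardholder data) in a contact-centre setting, the Python script below scans CRM note lines for full card numbers (PANs) that an agent may have typed into a free-text field, confirms each 13-19 digit candidate with the Luhn check so that dates, order references and phone numbers are left alone, and masks confirmed PANs to the first six and last four digits. This is example code written for this post, not a Netcall product or a PCI SSC tool; the sample note lines are constructed, and the card numbers in them (4111 1111 1111 1111 and 5555 5555 5555 4444) are publicly documented test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# A run of digits, optionally separated by single spaces or dashes,
# which is how agents typically type a card number into a note field.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Candidate PAN: 13 to 19 digits that also pass Luhn (filters most non-card numbers)."""
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum Requirement 3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid 13-19 digit run in a line; return (redacted line, number of PANs)."""
    hits = 0

    def _sub(m) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not looks_like_pan(digits):
            return m.group(0)   # timestamps, order refs and phone numbers pass through untouched
        hits += 1
        return mask_pan(digits)

    return DIGIT_RUN.sub(_sub, line), hits


def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a batch of note lines; return the cleaned lines and the total PAN count."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


# Constructed sample CRM notes (hypothetical agents and timestamps; test card numbers only).
SAMPLE_NOTES = [
    '2024-01-15 10:02:11 agent=42 note="customer paid with 4111 1111 1111 1111 exp 12/26"',
    '2024-01-15 10:05:40 agent=42 note="order ref 1234567890123456 confirmed"',
    '2024-01-15 10:09:03 agent=17 note="callback: card 5555-5555-5555-4444 declined"',
    '2024-01-15 10:12:58 agent=17 note="phone 0117 496 0123 left on voicemail"',
]

if __name__ == "__main__":
    cleaned, found = redact_log(SAMPLE_NOTES)
    print(f"{found} PAN(s) masked")
    for entry in cleaned:
        print(entry)
```

The point for a contact centre is scope: one full PAN written into a free-text note pulls the CRM, its database backups and every log pipeline that copies those notes into PCI DSS scope. Masking at write time is the fallback; the better control is the one the post goes on to describe, a payment solution that stops the agent ever hearing or typing the number. Two caveats on the detection itself: Luhn still passes roughly one in ten random digit strings, so a 16-digit order reference can occasionally be masked by mistake, and a card number fused with an adjacent number (or a run longer than 19 digits) is not examined here, so a production scanner would slide a window across longer runs and add context such as field names or card BIN ranges.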
Some payment service providers offer services that allow your organisation to limit the scope of an audit, whilst some technology vendors can supply accredited on-premises solutions that help achieve compliance. Either option could be suitable, making the supplier a valuable partner in helping your organisation become PCI DSS compliant.
Watch out for Part 2 of this blog series which will share the final three key facts.